linux-yocto: Add kernel hardening by default

Add kernel hardening options based on the Kernel Self Protection Project recommendations [1] and set them in the default kernel. [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>

linux-yocto: Add kernel hardening by default
Add kernel hardening options based on the Kernel Self Protection Project recommendations [1] and set them in the default kernel. [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
19fac127 · Marta Rybczynska · Davide Ricci · 464a2780 · 19fac127 · 19fac127
Commit 19fac127 authored 3 years ago by Marta Rybczynska Committed by Davide Ricci 3 years ago
--- a/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
+++ b/meta-ohos-core/recipes-kernel/linux/linux-yocto-all.inc
@@ -5,6 +5,15 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"

 SRC_URI += "file://misc.cfg"
+SRC_URI += "file://hardening_allocator.cfg"
+SRC_URI += "file://hardening_allocator_perf.cfg"
+SRC_URI += "file://hardening_disable_misc.cfg"
+SRC_URI += "file://hardening_dmesg.cfg"
+SRC_URI += "file://hardening_fortify_source.cfg"
+SRC_URI += "file://hardening_memory.cfg"
+# SRC_URI += "file://hardening_oops.cfg"
+SRC_URI += "file://hardening_usercopy.cfg"
+SRC_URI += "file://hardening_validation_checks.cfg"

 # For the gcc-plugins build of the kernel we need to ensure the right include
 # path for headers is picked up to use the natively build dependencies.

--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Randomize freelist order. Reduces predictability of the kernel slab allocator
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+#
+# Randomize the page allocator. Can improve performance
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_allocator_perf.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Fill pages with poison when freed. Requires page_poison=1 at the kernel boot
+CONFIG_PAGE_POISONING=y
+CONFIG_PAGE_POISONING_NO_SANITY=y
+CONFIG_PAGE_POISONING_ZERO=y
+#
+# Zero memory when allocated. Can disable with init_on_alloc=0 on the kernel boot
+# Might have performance impact
+CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
+# Zero memory when freed. Can disable with init_on_free=0 on the kernel boot
+# Can have performance impact
+CONFIG_INIT_ON_FREE_DEFAULT_ON=y
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_disable_misc.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Make sure heap randomization is enabled
+# CONFIG_COMPAT_BRK is not set
+
+# Remove /proc/kcore
+# CONFIG_PROC_KCORE is not set
+
+# Disable wrapped binary formats
+# CONFIG_BINFMT_MISC is not set
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_dmesg.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Restict unprivlidged users from reading the kernel dmesg
+CONFIG_SECURITY_DMESG_RESTRICT=y
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_fortify_source.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Detect buffer overflows on string and memory functions, when the compiler
+# can verify the buffer sizes
+CONFIG_FORTIFY_SOURCE=y
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_memory.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Report dangerous memory permissions W+X (write+execute) at boot time
+# Output is in the dmesg log
+CONFIG_DEBUG_WX=y
+
+# Disable access to all memory for root
+# CONFIG_DEVMEM is not set
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_oops.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Always panic when get an oops
+CONFIG_PANIC_ON_OOPS=y
+CONFIG_PANIC_TIMEOUT=-1
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_usercopy.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Perform boundary checks on memory when copying to/from the kernel.
+# Also disable whitelisting with the above check
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
--- a/meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg
+++ b/meta-ohos-core/recipes-kernel/linux/linux/hardening_validation_checks.cfg
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Needed for CONFIG_SCHED_STACK_END_CHECK
+CONFIG_DEBUG_KERNEL=y
+
+# Validate common data structures
+# add CONFIG_DEBUG_CREDENTIALS=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_LIST=y
+CONFIG_DEBUG_SG=y
+
+# Do a BUG() if a data corruption is detected
+CONFIG_BUG_ON_DATA_CORRUPTION=y
+# Check stack overflow when calling schedule()
+CONFIG_SCHED_STACK_END_CHECK=y